Adding Apigee IAM Conditions to policies

This page applies to Apigee and Apigee hybrid.


This page describes how to add IAM Conditions to your Apigee resources. An IAM Condition lets you control access to your Apigee resources at a granular level, for example by restricting a role binding to resources whose name matches a prefix.

Before you begin

Apigee uses Google Cloud's Identity and Access Management (IAM) to manage roles and permissions for Apigee's resources. Therefore, before you specify or modify conditions in IAM for your Apigee resources, familiarize yourself with the following IAM concepts:

Adding IAM Conditions

To add an IAM condition to an Apigee resource, you need the following information:

Examples

The table lists a few sample resource conditions and the corresponding permissions:

Condition 1:
resource.name.startsWith("organizations/{org-name}/apis/catalog-") || resource.type == "cloudresourcemanager.googleapis.com/Project"

Description: This condition provides the following permissions:

  • List all proxies
  • Get, Create, Update, and Delete operations on API proxies whose name starts with catalog-.
  • All operations on the Revision and KeyValueMap resources belonging to the catalog-* API proxies.

Condition 2:
(resource.name.startsWith("organizations/{org-name}/apis/catalog-proxy/keyvaluemaps") && resource.type == "apigee.googleapis.com/KeyValueMap") || resource.type == "cloudresourcemanager.googleapis.com/Project"

Description: This condition provides permissions for Get, Create, Update, and Delete operations on KeyValueMaps in the catalog-proxy API proxy.

Condition 3:
resource.type == "apigee.googleapis.com/Proxy" || resource.type == "cloudresourcemanager.googleapis.com/Project"

Description: This condition provides permissions for List, Get, Create, Update, and Delete operations on all API proxies.
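As an added example (not code from the Apigee documentation), the following Python models the two CEL features these conditions use and evaluates each of the three sample conditions against constructed resource names, so you can see which resources a role binding carrying that condition would cover. The org, project and proxy names and the Revision type string are assumptions.

```python
# Added illustration, not Apigee or Google Cloud code: evaluates the table's three
# sample conditions against constructed resource names. Only the two CEL features
# they use are modelled: resource.name.startsWith() and resource.type == "...".
from dataclasses import dataclass
from typing import Callable

ORG = "organizations/example-org"  # constructed stand-in for {org-name}
PROJECT_TYPE = "cloudresourcemanager.googleapis.com/Project"
PROXY_TYPE = "apigee.googleapis.com/Proxy"
KVM_TYPE = "apigee.googleapis.com/KeyValueMap"
REVISION_TYPE = "apigee.googleapis.com/Revision"  # assumed type string for revisions

@dataclass(frozen=True)
class Resource:
    name: str  # full resource name, as IAM exposes it in resource.name
    type: str  # resource type, as IAM exposes it in resource.type

def catalog_proxies(r: Resource) -> bool:
    """Condition 1: anything under apis/catalog-*, plus the project (needed to list)."""
    return r.name.startswith(f"{ORG}/apis/catalog-") or r.type == PROJECT_TYPE

def catalog_proxy_kvms(r: Resource) -> bool:
    """Condition 2: only KeyValueMaps that belong to catalog-proxy, plus the project."""
    return (r.name.startswith(f"{ORG}/apis/catalog-proxy/keyvaluemaps")
            and r.type == KVM_TYPE) or r.type == PROJECT_TYPE

def all_proxies(r: Resource) -> bool:
    """Condition 3: every API proxy in the org, plus the project."""
    return r.type == PROXY_TYPE or r.type == PROJECT_TYPE

# Constructed sample resources: the project, two proxies, one revision and two KVMs.
SAMPLES: list[Resource] = [
    Resource("projects/example-project", PROJECT_TYPE),
    Resource(f"{ORG}/apis/catalog-proxy", PROXY_TYPE),
    Resource(f"{ORG}/apis/catalog-proxy/revisions/1", REVISION_TYPE),
    Resource(f"{ORG}/apis/catalog-proxy/keyvaluemaps/prices", KVM_TYPE),
    Resource(f"{ORG}/apis/orders-proxy", PROXY_TYPE),
    Resource(f"{ORG}/apis/orders-proxy/keyvaluemaps/secrets", KVM_TYPE),
]

def covered(condition: Callable[[Resource], bool],
            resources: list[Resource] = SAMPLES) -> list[str]:
    """Names of the resources the condition lets the bound role act on."""
    return [r.name for r in resources if condition(r)]

if __name__ == "__main__":
    for cond in (catalog_proxies, catalog_proxy_kvms, all_proxies):
        print(cond.__name__, "->", covered(cond))
```

Note that every condition keeps the `resource.type == ".../Project"` clause: without it, project-level calls such as listing proxies are evaluated against the project resource and would be denied.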

What's next

Go through the following information in the IAM documentation: